Audit Classes Overview

The following audit classes information is taken from the Sun Solaris System Administration Guide: Security Services.

Security-relevant system actions can be audited. These auditable actions are defined as audit events. Audit events are listed in the /etc/security/audit_event file. Each audit event is defined in the file by an event number, a symbolic name, a short description, and the set of audit classes to which the event belongs.

Each audit event belongs to one or more audit classes. Audit classes are convenient containers for large numbers of audit events. When you preselect a class to be audited, you specify that all the events in that class should be recorded in the audit trail. You can preselect for events on a system and for events initiated by a particular user. After the auditing service is running, you can dynamically add or remove audit classes from the preselected classes.

System-wide preselection: specify system-wide defaults for auditing in the flags, naflags and plugin lines in the audit_control file.

User-specific preselection: specify additions to the system-wide auditing defaults for individual users in the audit_user database. The audit preselection mask determines which classes of events are audited for a user.

Dynamic preselection: specify audit classes as arguments to the auditconfig command to add or remove those audit classes from a process or session.

A post-selection command, auditreduce, enables you to select records from the preselected audit records. This is the method used by the Solaris Security collector in Event Manager to retrieve the records from the audit trail.

Audit classes are defined in the /etc/security/audit_class file. Each entry contains the audit mask for the class, the name for the class and a descriptive name for the class. For example, the ps and na class definitions appear in the audit_class file as follows: 

0x00100000:ps:process start/stop
0x00000400:na:non-attribute
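As an added example (not code from the Solaris guide or this page), the following Python reads entries in the audit_class and audit_event formats described above and resolves a flags-style preselection string into the events that would actually be recorded. The file contents are constructed samples that mirror the real formats; the ps and na entries are the ones shown above, the others are illustrative.

```python
# Constructed sample in /etc/security/audit_class format: mask:name:description
AUDIT_CLASS = """\
0x00000000:no:invalid class
0x00000400:na:non-attribute
0x00001000:lo:login or logout
0x00100000:ps:process start/stop
0x40000000:ex:exec
0xffffffff:all:all classes
"""

# Constructed sample in /etc/security/audit_event format:
# number:symbolic name:description:comma-separated classes
AUDIT_EVENT = """\
0:AUE_NULL:indir system call:no
1:AUE_EXIT:exit(2):ps
6:AUE_EXEC:exec(2):ps,ex
6152:AUE_login:login - local:lo
"""

def parse_audit_class(text):
    """Map class name -> 32-bit audit mask, skipping comments and blank lines."""
    classes = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            mask, name, _desc = line.split(":", 2)
            classes[name] = int(mask, 16)
    return classes

def parse_audit_event(text, classes):
    """Map event number -> (symbolic name, OR of the masks of its classes)."""
    events = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            num, name, _desc, cls = line.split(":", 3)
            mask = 0
            for c in cls.split(","):
                mask |= classes[c]
            events[int(num)] = (name, mask)
    return events

def preselection_mask(flags, classes):
    """Build (success_mask, failure_mask) from a flags string such as 'lo,+ps,-ex'.
    '+' audits successes only, '-' failures only, a leading '^' turns a class off."""
    ok = fail = 0
    for tok in [t.strip() for t in flags.split(",") if t.strip()]:
        negate = tok.startswith("^")
        tok = tok.lstrip("^")
        want_ok, want_fail = not tok.startswith("-"), not tok.startswith("+")
        mask = classes[tok.lstrip("+-")]
        if want_ok:
            ok = ok & ~mask if negate else ok | mask
        if want_fail:
            fail = fail & ~mask if negate else fail | mask
    return ok, fail

def selected_events(flags, classes, events):
    """Sorted symbolic names of events recorded (on success or failure) under flags."""
    ok, fail = preselection_mask(flags, classes)
    return sorted(name for name, m in events.values() if m & (ok | fail))
```

Events in the "no" class carry a zero mask and are never selected, which is why AUE_NULL stays out of every result.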